Forget mobile-device strategy: Here's a better way.

Federal agencies should not be planning for mobile device management, but rather mobile data management, advised speakers at a seminar at the FOSE government technology conference on April 3.

With new mobile devices being developed commercially every few months, a device-centric strategy is never going to keep up, said Anil Karmel, management and operations chief technology officer for the National Nuclear Security Agency.

“We’re looking at it in a different way that is completely data-centric,” Karmel said.

The three keys in planning are:

Determining where the data is resident;

Identifying the locations where it needs to be accessed; and

Deciding how it should best be transported.

The answers determine what type of mobile data architecture should be used, he said. For security, the agency is using containerization and virtualization strategies. The agency has developed a draft Bring-Your-Own Device strategy that is being reviewed for approval, Karmel said.

At the National Security Agency, personal mobile devices, including phones, are not allowed in the building, said Troy Lange, mobility mission manager.

While that policy has not changed yet, it's possible that it could. The agency realizes that people depend on their devices and that potential new employees, especially younger ones, might be discouraged if it continues to bar all personal devices, Lange said.

A possible solution, he said, is for the NSA to develop enterprise mobile devices that can be used by employees while in the building for their personal calls and email.

The NSA has been exploring various solutions for enterprise mobility and is looking to industry to help provide some solutions. Because of the agency’s unique security requirements and closed classified systems, the marketplace mobility management solutions are not feasible, Lange said.

The NSA recently posted a capabilities package on its website seeking feedback from vendors on how to develop an enterprise mobile solution with adequate security.

“Our belief is that the financial or medical industry may be able to help us get traction on this,” Lange said.

At the Veterans Affairs Department, officials decided that developing a Bring Your Own Device policy for all types of mobile devices was not feasible, said Don Kachman Jr., director of security assurance and mobile technologies for the department.

“BYOD is not a technology issue, it is a policy issue,” Kachman said. Policies would need to be developed for what happens when devices break, when there need to be investigations, and many other contingencies, he said.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.


Reader comments

Wed, Apr 4, 2012
Henry

Most cyber-defense groups have been pushing data-centric security for many years. But unless you control everything under the data, your sensitive details are easily pwn'd. This is where the cloud comes into play - if you can keep your data in the remote network and leak only human-views and human-directions (gestures, clicks, etc.) then the info that even a completely pwn'd device can exfiltrate is limited.

Wed, Apr 4, 2012
Richard

Good idea! Think outside the device!!
